atmos
/
ban2fail
mirror of https://github.com/jrbrtsn/ban2fail
1
1
Fork 0
Code Issues Releases Wiki Activity
ban2fail/ban2fail.cfg

183 lines
3.8 KiB
INI
Raw Permalink Blame History

# By default, no number of offenses are tolerated
# Whitelist ourself
MAX_OFFENSES -1 {
# Put your server's IP addresses here
# IP= 1.2.3.4
IP= 127.0.0.1
# IP= dead:beef::20::32a
IP= ::1
}
# Allegedly legit servers
MAX_OFFENSES 50 {
# Google Ireland
IP= 2a00:1450:4864:20::32a
IP= 2a00:1450:4864:20::336
# Google EU
# Attempted to break in
# IP= 35.205.240.168
# Google US
IP= 09.85.216.42
# Attempted to break in
# IP= 130.211.246.128
IP= 209.85.166.194
IP= 209.85.166.195
IP= 209.85.208.67
IP= 209.85.214.194
IP= 209.85.215.173
IP= 209.85.215.175
IP= 209.85.215.193
IP= 209.85.216.42
IP= 2607:f8b0:4864:20::1034
IP= 2607:f8b0:4864:20::a46
# Yahoo
IP= 106.10.244.139
# Outlook
IP= 40.92.4.30
IP= 40.107.73.61
IP= 40.107.74.48
IP= 40.107.74.72
IP= 40.107.76.74
IP= 40.107.79.52
IP= 40.107.79.59
IP= 40.107.80.40
IP= 40.107.80.53
IP= 40.107.80.78
IP= 40.107.82.75
IP= 52.101.129.30
IP= 52.101.132.108
IP= 52.101.136.79
IP= 52.101.140.230
}
# "trusted" addresses
MAX_OFFENSES 200 {
# me from home
# IP= 1.2.3.4/20
# Customer
# IP= 5.6.7.8/24
}
LOGTYPE auth {
# Where to find the log files
DIR= /var/log
PREFIX= auth.log
# How to read the timestamp
TIMESTAMP auth_ts {
# isolates the timestamp from a line matched by a TARGET
REGEX= ^(.*) srv
# Passed to strptime() to intrepret the timestamp string
STRPTIME= %b %d %T
# These stamps do not include the year, so it is implied.
FLAGS= GUESS_YEAR
}
TARGET imap {
# Pattern to search for, isolates the IP address
REGEX= imapd.*Login failed.*\[([0-9.a-f:]+)\]$
# Assign this as the severity of the offense.
SEVERITY= 3
}
TARGET ssh {
SEVERITY= 4
REGEX= sshd.*Failed password.*from ([0-9.a-f:]+) port [0-9]+ ssh2$
REGEX= sshd.*Invalid user.*from ([0-9.a-f:]+) port
}
TARGET negotiate_fail {
SEVERITY= 2
REGEX= Unable to negotiate with ([0-9.a-f:]+) port
}
TARGET dovecot {
SEVERITY= 3
REGEX= dovecot.*authentication failure.*rhost=([0-9.a-f:]+)
}
}
LOGTYPE exim4 {
DIR= /var/log/exim4
PREFIX= mainlog
TIMESTAMP exim4_ts {
REGEX= ^([-0-9]+ [0-9:]+)
STRPTIME= %F %T
}
TARGET smtp_auth {
SEVERITY= 3
REGEX= [[:alnum:]_]+ authenticator failed for .*\[([0-9.a-f:]+)\]
REGEX= \[([0-9.a-f:]+)\] [[:alnum:]_]+ authentication mechanism not supported
} # smtp_auth
TARGET smtp_send {
SEVERITY= 9
REGEX= \[([0-9.a-f:]+)\] P=.*A=[[:alnum:]_]+_server:
} # smtp_send
TARGET spam {
REGEX= H=.* \[([0-9.a-f:]+)\].*rejected RCPT.*Unrouteable address
REGEX= : ([0-9.a-f:]+) is listed at zen.spamhaus.org
REGEX= H=.* \[([0-9.a-f:]+)\].*rejected RCPT.*SPF check failed
REGEX= \[([0-9.a-f:]+)\]: SMTP error.*: 451 relay
REGEX= \[([0-9.a-f:]+)\] F=.*rejected RCPT.*Sender verify failed
} # spam
TARGET brain_damage {
REGEX= H=.* \[([0-9.a-f:]+)\].*rejected after DATA: maximum allowed line length
REGEX= SMTP protocol synchronization error.* rejected.* H=\[([0-9.a-f:]+)\]
} # brain_damage
}
LOGTYPE apache2 {
DIR= /var/log/apache2
PREFIX= access.log
TIMESTAMP apache2_ts {
REGEX= ^[0-9.a-f:]+ - - \[([^ ]+)
STRPTIME= %d/%b/%Y:%T
}
TARGET worm {
REGEX= ^([0-9.a-f:]+) .*(thinkphp|elrekt\.php|download\.php|ysyqq\.php|Login\.php|phpmyadmin|cfgss\.php|wallet\.dat|y000000000000\.cfg)
}
}
LOGTYPE openvpn {
DIR= /var/log
PREFIX= openvpn.log
TIMESTAMP openvpn_ts {
REGEX= ^(.*) client/
STRPTIME= %a %b %d %T %Y
}
TARGET client {
SEVERITY= 9
#Tue Dec 3 10:52:22 2019 client/184.185.212.118:38752 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
# REGEX= client/([0-9.a-f:]+):[0-9]+ Control Channel:
}
}
Reference in New Issue View Git Blame Copy Permalink